Network Tools

• Freely available for Windows and Unix/Linux
• Sniffer/protocol analyzer 
• www.ethereal.com
  

Analyzing

• At the application level
• IP, ICMP, TCP, UDP, HTTP...
• Ability to customize filtering
• ie, only show me packets to or from hosta
  

Linux Requirements

• libpcap
• Allows you to capture packets in promiscuous mode from Ethernet networks
  
• ethereal-gnome
• GUI interface for ethereal
  
• ethereal
• Command line interface, plugins and documentation
  

The GUI

• Three main windows
• more specific from top to bottom 

Top

• List of packets collected during capture
• Select a packet here, details shown below

Middle

• Displays a tree view of the an individual packet
• Information is layered like the OSI model
• Frame, Ethernet, IP, TCP, HTTP

Bottom

• Shows the data part of the packet
• Whatever you select in the middle window gets highlighted in the data window

Preferences

• Under Edit
• Printing, Column choices, TCP Stream colors, User Interface behavior, Capture (real time, promiscuous, interface, Name resolution, Protocols

Begin Capture

• Capture - Start -> brings up capture options similar to preferences -> OK
• In browser go to google.com
• Stop Capture
  

Examine the packets by protocol

• ARP
• Used to locate MAC address of default gateway if not already cached

• TCP 3-way handshake
• SYN, SYN/ACK, ACK

No. Time        Source            Destination     Protocol   Info
 1 0.000000    192.168.1.20      216.239.57.99    TCP      33443 > http [SYN] Seq=3856578415 Ack=0 Win=5840 Len=0

 2 0.033167    216.239.57.99     192.168.1.20     TCP      http > 33443 [SYN, ACK] Seq=2319257119 Ack=3856578416 Win=8190 Len=0

 3 0.033222    192.168.1.20      216.239.57.99    TCP      33443 > http [ACK] Seq=3856578416 Ack=2319257120 Win=5840 Len=0

• HTTP
• GET / HTTP/1.1
• Gets the default page at google

Filtering

• Can be done before or after the capture
• Before: Capture Filters
  
• After: Display Filters 
• Edit -> Display Filters
• Create a filter string by clicking Add Expression, scroll down and expand IP
• Select Source or Destination Address, on right, select ==, enter the IP number (192.168.1.20), click Accept
• Give the filter a name, ie, To and From 192.168.1.20
• Click the New button, Click Save, then Close
• Using the new filter
• Click the Filter button on the bottom left corner of the Ethereal capture screen
• Select the name of your new filter, click Apply